+/*
+ * Copyright (c) 2006-2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// requirement - Code Requirement Blob description
+//
+#ifndef _H_REQUIREMENT
+#define _H_REQUIREMENT
+
+#include <security_utilities/blob.h>
+#include <security_utilities/superblob.h>
+#include <security_utilities/hashing.h>
+#include <Security/CodeSigning.h>
+#include "codedirectory.h"
+#include <map>
+
+namespace Security {
+namespace CodeSigning {
+
+
+//
+// Single requirement.
+// This is a contiguous binary blob, starting with this header
+// and followed by binary expr-code. All links within the blob
+// are offset-relative to the start of the header.
+// This is designed to be a binary stable format. Note that we restrict
+// outselves to 4GB maximum size (4 byte size/offset), and we expect real
+// Requirement blobs to be fairly small (a few kilobytes at most).
+//
+// The "kind" field allows for adding different kinds of Requirements altogether
+// in the future. We expect to stay within the framework of "opExpr" requirements,
+// but it never hurts to have a way out.
+//
+class Requirement: public Blob<Requirement, 0xfade0c00> {
+public:
+ class Maker; // makes Requirement blobs
+ class Context; // evaluation context
+ class Reader; // structured reader
+ class Interpreter; // evaluation engine
+
+ // different forms of Requirements. Right now, we only support exprForm ("opExprs")
+ enum Kind {
+ exprForm = 1 // prefix expr form
+ };
+
+ void kind(Kind k) { mKind = k; }
+ Kind kind() const { return Kind(uint32_t(mKind)); }
+
+ // validate this requirement against a code context
+ void validate(const Context &ctx, OSStatus failure = errSecCSReqFailed) const; // throws on all failures
+ bool validates(const Context &ctx, OSStatus failure = errSecCSReqFailed) const; // returns on clean miss
+
+ // certificate positions (within a standard certificate chain)
+ static const int leafCert = 0; // index for leaf (first in chain)
+ static const int anchorCert = -1; // index for anchor (last in chain)
+
+ // the SHA1 hash of the canonical "Apple Anchor", i.e. the X509 Anchor
+ // that is considered "Apple's anchor certificate", as defined by hashOfCertificate().
+#if defined(TEST_APPLE_ANCHOR)
+ static const char testAppleAnchorEnv[];
+ static const SHA1::Digest &testAppleAnchorHash();
+#endif //TEST_APPLE_ANCHOR
+
+ // common alignment rule for all requirement forms
+ static const size_t baseAlignment = sizeof(uint32_t); // (we might as well say "four")
+
+ // canonical (source) names of Requirement types (matched to SecRequirementType in CSCommon.h)
+ static const char *const typeNames[];
+
+ IFDUMP(void dump() const);
+
+private:
+ Endian<uint32_t> mKind; // expression kind
+};
+
+
+//
+// An interpretation context
+//
+class Requirement::Context {
+protected:
+ Context()
+ : certs(NULL), info(NULL), entitlements(NULL), identifier(""), directory(NULL) { }
+
+public:
+ Context(CFArrayRef certChain, CFDictionaryRef infoDict, CFDictionaryRef entitlementDict,
+ const std::string &ident, const CodeDirectory *dir)
+ : certs(certChain), info(infoDict), entitlements(entitlementDict), identifier(ident), directory(dir) { }
+
+ CFArrayRef certs; // certificate chain
+ CFDictionaryRef info; // Info.plist
+ CFDictionaryRef entitlements; // entitlement plist
+ std::string identifier; // signing identifier
+ const CodeDirectory *directory; // CodeDirectory
+
+ SecCertificateRef cert(int ix) const; // get a cert from the cert chain (NULL if not found)
+ unsigned int certCount() const; // length of cert chain (including root)
+};
+
+
+//
+// exprForm opcodes.
+//
+// Opcodes are broken into flags in the (HBO) high byte, and an opcode value
+// in the remaining 24 bits. Note that opcodes will remain fairly small
+// (almost certainly <60000), so we have the third byte to play around with
+// in the future, if needed. For now, small opcodes effective reserve this byte
+// as zero.
+// The flag byte allows for limited understanding of unknown opcodes. It allows
+// the interpreter to use the known opcode parts of the program while semi-creatively
+// disregarding the parts it doesn't know about. An unrecognized opcode with zero
+// flag byte causes evaluation to categorically fail, since the semantics of such
+// an opcode cannot safely be predicted.
+//
+enum {
+ // semantic bits or'ed into the opcode
+ opFlagMask = 0xFF000000, // high bit flags
+ opGenericFalse = 0x80000000, // has size field; okay to default to false
+ opGenericSkip = 0x40000000, // has size field; skip and continue
+};
+
+enum ExprOp {
+ opFalse, // unconditionally false
+ opTrue, // unconditionally true
+ opIdent, // match canonical code [string]
+ opAppleAnchor, // signed by Apple as Apple's product
+ opAnchorHash, // match anchor [cert hash]
+ opInfoKeyValue, // *legacy* - use opInfoKeyField [key; value]
+ opAnd, // binary prefix expr AND expr [expr; expr]
+ opOr, // binary prefix expr OR expr [expr; expr]
+ opCDHash, // match hash of CodeDirectory directly [cd hash]
+ opNot, // logical inverse [expr]
+ opInfoKeyField, // Info.plist key field [string; match suffix]
+ opCertField, // Certificate field [cert index; field name; match suffix]
+ opTrustedCert, // require trust settings to approve one particular cert [cert index]
+ opTrustedCerts, // require trust settings to approve the cert chain
+ opCertGeneric, // Certificate component by OID [cert index; oid; match suffix]
+ opAppleGenericAnchor, // signed by Apple in any capacity
+ opEntitlementField, // entitlement dictionary field [string; match suffix]
+ opCertPolicy, // Certificate policy by OID [cert index; oid; match suffix]
+ opNamedAnchor, // named anchor type
+ opNamedCode, // named subroutine
+ exprOpCount // (total opcode count in use)
+};
+
+// match suffix opcodes
+enum MatchOperation {
+ matchExists, // anything but explicit "false" - no value stored
+ matchEqual, // equal (CFEqual)
+ matchContains, // partial match (substring)
+ matchBeginsWith, // partial match (initial substring)
+ matchEndsWith, // partial match (terminal substring)
+ matchLessThan, // less than (string with numeric comparison)
+ matchGreaterThan, // greater than (string with numeric comparison)
+ matchLessEqual, // less or equal (string with numeric comparison)
+ matchGreaterEqual, // greater or equal (string with numeric comparison)
+};
+
+
+//
+// We keep Requirement groups in SuperBlobs, indexed by SecRequirementType
+//
+typedef SuperBlob<0xfade0c01> Requirements;
+
+
+//
+// Byte order flippers
+//
+inline CodeSigning::ExprOp h2n(CodeSigning::ExprOp op)
+{
+ uint32_t intOp = (uint32_t) op;
+ return (CodeSigning::ExprOp) ::h2n(intOp);
+}
+
+inline CodeSigning::ExprOp n2h(CodeSigning::ExprOp op)
+{
+ uint32_t intOp = (uint32_t) op;
+ return (CodeSigning::ExprOp) ::n2h(intOp);
+}
+
+
+inline CodeSigning::MatchOperation h2n(CodeSigning::MatchOperation op)
+{
+ return CodeSigning::MatchOperation(::h2n((uint32_t) op));
+}
+
+inline CodeSigning::MatchOperation n2h(CodeSigning::MatchOperation op)
+{
+ return CodeSigning::MatchOperation(::n2h((uint32_t) op));
+}
+
+
+} // CodeSigning
+} // Security
+
+#endif //_H_REQUIREMENT
projects / apple / security.git / blobdiff